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Introduction 


The author has a PhD in cybernetics, in ‘Deception-detection and machine intelligence in Practical 
Turing test’ from Reading University. She teaches ‘the human right to privacy online’ as part of her 
artificial intelligence, creativity, and ethics first year undergraduate subject in the School of 
Computing, Electronics and Mathematics at Coventry University. She also directs the science on an 
EU funded project (CSI-COP) engaging the general public as citizen scientists to investigate 
compliance of the general data protection regulation (GDPR). This is with respect to informed 
consent and transparency in cookie notices and privacy policies in websites and apps. The purpose 
of submitting this evidence is to highlight the extent of online tracking, including in digital healthcare 
artefacts, which could prevent the surrendering of personal health data to support necessary medical 
research. 


Threats to securing data online 


Trust in organisational IT capability, to protect the digitised personal data of its patrons, is diminished 
when the general public learn how easy it is for online intruders to access it. The reduction of trust in 
authorities’ data protection follows numerous examples of data breaches reported in the media. For 
example, the 2017 WannaCry malware infection “decimated networks around the globe, from entire 
healthcare systems to banks and national telecommunications companies”*. The WannaCry hack 
struck the UK’s National Health Service (NHS) with “81 NHS organisations in England affected, a 
third of the total”?. According to an investigation by The National Audit Office (NAO): “19,500 
medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals 
had to divert ambulances elsewhere.”” . NAO’s report declared that the Department of Health and the 
NHS need to follow “basic IT security best practice” and “get their act together to ensure the NHS is 
better protected against future attacks”?. 


Data-privacy safeguarding challenges 


Besides hacking, trust can be eroded when there is absence of research consent from patients, and 
incidents of uninformed medical data sharing between organisations come to light. Julia Powles’ and 
Hal Hodson’s 2017 article? documented patients’ medical data passing from the Royal Free London 
NHS Foundation Trust, “one of the largest healthcare providers in Britain’s publicly funded National 
Health Service” to a third-party: Google’s DeepMind?. Powles and Hodson reported: “The data that 
DeepMind processed under the Royal Free project was transferred to it without obtaining explicit 
consent from—or even giving any notice to—any of the patients in the dataset”. The Royal Free’s 
actions, failing to gain consent before sharing identifiable patients’ records, contravened the data 
protection act (DPA) in place at the time. The Information Commissioner’s office (ICO), the UK’s 
independent authority to “uphold information rights in the public interest’’* concluded that the Royal 
Free “had not done enough to inform patients that their information was being processed by 
DeepMind”>. The ICO added that “there was a lack of transparency” concerning how this NHS Trust 
“were using patient information”’. Thus, the ICO found that “patients could not exercise their 
statutory right to object to the processing of their information’”?. 
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An example of distrust in healthcare technologies arises from Babylon Health. Babylon Health 
markets itself as a “leading value-based care company” that claims to “reengineer how people engage 
with their care at every stage of the healthcare continuum’’®. Endorsed by a previous UK Health 
Secretary, Matt Hancock’, Babylon Health’s digitised healthcare offers access to medical doctors 
through its smartphone app. Unsurprisingly, Babylon Health suffered a data breach’. Users found they 
could access video recordings of other Babylon Health app users’ consultations with doctors. One 
Babylon Health care user “noticed he had about 50 videos in the Consultation Replays section of the 
app that did not belong to him’’*. This user found that “Clicking on one revealed that the file contained 
footage of another person's appointment.’”’’. A further issue with Babylon Health app is its embedded 
third-party trackers. This app also requests permissions to access various functions or data in a user’s 
device (such as access to camera; device location). According to the free online Android app analysis 
tool, Exodus Privacy’ version 4.18.2.36555000 of the Babylon Health app has 9 embedded trackers, 
including Facebook analytics and Facebook Login (Figure1). Additionally, Babylon Health app 
contains 26 permissions to access various functions in the app user’s device (Figurel). These 
permissions include access to: 


e precise location (GPS and network based) 

e camera 

e read contents of SD card (secure digital removable memory card) 
e modify or delete contents of SD card. 
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Figure 1 Babylon Health app analysis in Exodus Privacy: https://bit.ly/3IvTLOi 


Exodus Privacy’s analysis of Babylon Health app caveats that “This report lists trackers signatures 
found by static analysis in this APK. This is not a proof of activity of these trackers. The application 
could contain tracker(s) we do not know yet”!?. It is obvious why Babylon Health app would need 
access to a user’s camera, to upload and share videos or images during or following consultations. 
However, it is unclear why Babylon Health’s personal and medical app should allow third-party 
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trackers, including Google Firebase Analytics. This digital analytics tracker provides a “free app 
measurement solution that provides insight on app usage and user engagement”"'. It must be noted 
that Google are subject to anti-trust litigation in the United States District Court- Southern District of 
New York. This is for a civil case (Civil Action No.: 1:21-md-03010-PKC) brought by different states 
in the US against Google LLC’. Paragraph 175, on page 64 in the court document of this civil action 
exposes Google’s attitude to privacy!: 


“Google presents a public image of caring about privacy, but behind the scenes 
Google coordinates closely with the Big Tech companies to lobby the government 
to delay or destroy measures that would actually protect users’ privacy”. 


Facebook too, has exhibited a lax mindset with respect to its users’ data-privacy'?. Former Cambridge 
Analytica AT/ data scientist Christopher Wylie warned in his 2019 book'4 “Facebook has too much 
unchecked power” (page 225). Wylie cautioned that digital/social media platform engineers do not 
have to “perform safety tests to conform to any regulatory platform codes before releasing their 
products” (page 236)!*. 


Facebook’s trackers are not only found in other organisation’s smart device apps, they are ubiquitous 
across the Internet embedded in websites. Additionally, digital marketing companies can make 
requests from other organisation’s websites. An example of third-party requests is illustrated from 
Patient Access!>, the online platform to book a GP appointment, message your surgery, or request a 
repeat prescription. In large font on Patient Access website the following statement is presented: 
“Take control of your healthcare” (Figure 2). The cookie banner displayed at the bottom of Patient 
Access’s webpage does not provide an opportunity for their website visitor to make an informed 
choice about this platform’s use of cookies. The cookie banner compels the user to accept cookies, 
without informing what cookies are present and why: “This website uses cookies. By continuing to 
use this site you are agreeing to its use of cookies”! (Figure 2). 


Using Webbkoll’®, a free online tool that “helps you check what data-protecting measures a site has 
taken to help you exercise control over your privacy”, we can see what cookies are present beneath 
Patient Access, and if any third-party requests are permitted from its platform. From Webbkoll’s 
analysis of Patient Access (Figure 3), it is shown that this online health services platform houses: 


e 8 first-party cookies 
e 45 third-party requests from 13 unique hosts 


The third-party requests for visitor data from Patient Access platform (Figure 3) include from: 


e Content (Amazon.com) 

e Content (Google) 

e FingerprintingGeneral, Advertising (Google) 
e FingerprintingGeneral, Analytics (Google) 


Digital ‘Fingerprinting’ as a third-party request on someone else’s website is a different type of user 
online tracking!’. In the digital advertising arena, the AdTech industry uses Fingerprinting to 
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“ensure a continuous connection with customers through personalized ads, marketing and 
advertising agencies track users across the world wide web”!”. 


Digital fingerprinting is also: 


“used to identify a person through his activity on different devices. It has become a 
powerful new tool for marketers and advertisers in reaching potential customers, aside from 
relying on web cookies to deliver targeted ads”!”. 


The Patient Access website (Figure 2) does not make it transparent to its website visitor that it 
allows third-parties, such as Google, to perform online tracking through a third-party request 
(Figure 3). 
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Figure 3: Webbkoll analysis of Patient Access online platform: https://bit.ly/3rKiFTs 


Amazon’s third-party request from Patient Access website, according to Webbkoll analysis (Figure 3) 
is not surprising, since this big tech company has entered into the healthcare market!®. 


Potential benefits of medical data sharing 


The premise underlying the justification to share medical data between research institutes, 
contributing to government departments’ needs to better maintain public health, is a noble idea. 
Involving commercial organisations could advance healthcare products reaching the market sooner. 
This can lead to state-of-the-art biotechnical solutions affording an improved quality of life for 
patients. For example, deep-brain stimulation (DBS!’) using artificial intelligence: implants in the 


17 The Traffic company: https://thetrafficcompany .net/blog/what-fingerprinting-online-marketing 
18 Amazon Care: https://amazon.care/ 
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brain to control the onset of tremors suffered by patients of Parkinson’s disease”. If sharing of 
medical data could realistically personalise healthcare, affording individuals to understand best 
dietary life easily and efficiently manage body weight, or reduce the disconnectedness and isolation 
that might lead to mental health issues, would we not welcome this? If medical data sharing leads to 
better understand deterioration in the brain resulting in memory impairment, and eradicate the 
contributory factors to dementia, who would want to resist this? If exchanging health information 
could eliminate heart disease, the different cancers and other human health ailments, including 
decelerating ageing affording mobility for longer, and increasing the quality of life in old age, should 
we not pursue this? 


The Department of Health and Social Care’s data strategy, for patient-centred care intent on sharing 
records to create “faster more specialised treatment” and “discover new treatments and insights to 
save lives”?! must be supported. And it can be when organisations preparing to use patients’ sensitive 
medical data apply a data-privacy-by-design philosophy at the heart of any medical data sharing. 
Since medical data is sensitive personal information about an individual’s health, the general public 
need to trust that their life will not be harmed through inaccuracy, delay, misunderstanding or 
discrimination. It is imperative to convey to the layperson that responsible, ethical research will be the 
foundation for the use and sharing of our data in all contexts, especially in the care of our health. 


Trust in the Government’s National Data Strategy 


One way to increase trust in order to boost medical data sharing among and across appropriate 
organisations is for the organisation’s digital presence to be more transparent, especially in their 
website cookie notices. GOV.UK’s webpage for the Centre for Data Ethics and Innovation (CDEI), 
part of the Department for Digital, Culture, Media and Sport, hosts a cookie banner across its digital 
page (Figure 4). GOV.UK’s cookie banner announces: 


“We use some essential cookies to make this website work.” 


“We'd like to set additional cookies to understand how you use GOV.UK, remember 
your settings and improve government services.” 


“We also use cookies set by other sites to help us deliver content from their services.” 


20 Kevin Warwick and Huma Shah. 2013. Selective deep-brain stimulation using AI. Chapter in (Eds) F. 
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Cookies on GOV.UK 


We use some essential cookies to make this website work. 
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Figure 4: GOV.UK webpage ‘centre for data ethics and innovation’ (CDEI): https://bit.ly/3nQZN3X 


To an individual member of the general public, that GOV.UK cookie banner (Figure 4) is not 
transparent about what precisely are the “essential cookies”, and what are the additional cookies? It is 
not clear what data specifically is being gathered when you visit this GOV.UK website. Additionally, 
the statement about “cookies set by other sites” suggests sharing of GOV.UK website visitor data with 
other organisations. Using the same free online tool used to analyse Patient Access website earlier, 
Webbkoll!®, that “monitors privacy-enhancing features on websites!®, the analysis shows that 
GOV.UK’s CDEI webpage contains one first-party cookie, but no third-party cookies. However, the 
GOV.UK’s CDEI webpage allows six third-party requests from one unique host. Webbkoll defines 
third-party requests as “a request to a domain that's not www.gov.uk or one of its subdomains”!6. The 
third-party request in this case shows a relationship with GOV.UK, and according to the Webbkoll!® 
tool, is from: assets.publishing.service.gov.uk . 


Improving the effectiveness of existing governance arrangements 


The data-privacy international project led by Coventry University, funded by the EU, CSI-COP” 
reverse-engineered a website development platform to create a privacy-by-design, no-tracking 
website”. As a citizen science project, CSI-COP involves reaching out to, and engaging, members of 
the general public to raise awareness about our human right to privacy online. The project offers the 
opportunity to acquire practical skills in privacy-self-management. This is gained through a free 
informal education course, Your Right to Privacy Online”‘. The course is available to complete in a 
learner’s own time, currently in ten different languages. The course is also being offered in half-day 
workshops leading to an informal education certificate. Learners are also encouraged to join the 
project researchers as volunteer citizen scientists investigating websites and apps for informed 
consent, and compliance with respect to the GDPR”. Early CSI-COP project findings show the 
websites of some publicly-funded organisations display opaque cookie notices and provide 
cumbersome privacy policies. Apps on smart devices too, are not free of bewildering requests for 
permissions, and some do not make it clear at the download stage what, if any, third-party trackers 
may be lurking in them. 


The first policy brief” emerging from the CSI-COP project recommends that websites created for EU 
funded projects should not allow third-party tracking. This contribution extends that recommendation 


22 CSI-COP: https://cordis.europa.eu/project/id/873 169 

23 CSI-COP privacy-by-design, no-tracking website: https://csi-cop.eu/ 
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to UK government related websites and apps, especially health related apps. These should be 
developed through a data-privacy-by-design practice that makes it clear and transparent what data will 
be passed on to third-parties and why. Questions from the author include ‘Why should third-parties be 
permitted to know when a health app user has logged in to the app without the user’s knowledge or 
consent? What do companies do with the data they gather from their analytics tool as third-parties on 
healthcare websites? Why do any healthcare apps or health websites allow third-party tracking? 
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